Metadata and timestamps play a crucial role in digital forensics. They help investigators understand the history of a file—when it was created, modified, or accessed. These details allow forensic analysts to reconstruct timelines, verify user activity, detect tampering, and identify suspicious behavior.
This chapter focuses on metadata basics and the MAC time model, which is used by most file systems to track file activity.
What Is Metadata?
Metadata is “data about data.”
It describes information about a file rather than the file’s content.
Common metadata includes:
- File name
- File size
- File type
- Creation date
- Modification date
- Access date
- Owner information
- Permissions
- File attributes
In forensics, metadata helps answer questions like:
- When was the file created?
- Who created or modified it?
- Has it been accessed recently?
- Was it altered during an attack?
MAC Times Explained
MAC stands for Modified, Accessed, and Created.
These are the three main timestamps recorded by many file systems. Some systems use additional timestamps, but MAC times form the core of timeline analysis.
M – Modified Time
The time when a file’s content was last changed.
Examples:
- Editing a document
- Saving a photo after editing
- Changing data inside an archive
Modified time does not change when the filename or attributes are edited.
A – Accessed Time
The time when a file was last opened or viewed.
Examples:
- Opening a PDF
- Viewing an image
- Running an executable
- Reading a log file
Many operating systems update Access Time less frequently for performance reasons.
C – Created Time
The time when the file was first created on the system.
This timestamp is not always the same as the time the file was originally made.
For example:
- Copying a file to a new drive creates a new Created Time.
- Downloading a file assigns the time of download as the Created Time.
Created Time is often the most misleading timestamp if investigators do not interpret it correctly.
Additional Timestamps (Depending on File System)
Some file systems store more than three timestamps.
NTFS Additional Timestamps
NTFS stores four timestamps per file:
- Created Time
- Modified Time
- Accessed Time
- MFT Modified Time (metadata modification time)
MFT Modified Time changes when:
- File is renamed
- Permissions are edited
- Attributes are altered
- File is moved within the same partition
This makes NTFS extremely valuable for timeline reconstruction.
EXT4 Timestamps
EXT4 stores:
- Access Time
- Modified Time
- Change Time (inode metadata change)
- Birth Time (on modern systems)
“Change Time” is triggered by metadata updates, not file content changes.
APFS Timestamps
APFS has:
- Creation Time
- Modification Time
- Access Time
- Metadata Change Time
APFS uses nanosecond precision, making it one of the most accurate systems for timestamp tracking.
How Timestamps Help in Forensics
1. Building a Timeline
Investigators can reconstruct events such as:
- When malware was installed
- When sensitive files were accessed
- When data exfiltration occurred
- Which user was active at a given time
Timeline analysis is one of the most powerful forensic techniques.
2. Detecting Tampering
Timestamps help reveal suspicious behavior:
- A file created long after system setup
- Accessed times inconsistent with user activity
- Modified times altered to hide actions
- MFT times not matching creation times
Attackers may try to change timestamps, but inconsistencies usually expose them.
3. Identifying File Movement
Copying, moving, or renaming files affects timestamps differently depending on the file system.
This helps investigators understand actions like:
- File copying to USB drives
- Data staging before exfiltration
- Renaming malware files
4. Correlating Logs and Events
Timestamps from:
- System logs
- Browser history
- Network recordings
- Application logs
can be compared with MAC times to confirm patterns of activity.
Timestamp Manipulation
Attackers often try to alter timestamps using tools or scripts. This is known as timestomping.
Common signs of timestomping:
- All timestamps are identical
- Creation time is older than modification time
- Metadata change time conflicts with creation time
- Timestamps outside realistic ranges
- Files modified while user was inactive
Proper timeline analysis detects these anomalies.
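The signs listed above can be turned into a simple triage check. The script below is an added example, not code from this chapter: it reads a file's MAC times with os.stat (plus birth time where the platform exposes it) and reports which of the chapter's timestomping indicators apply. The sample timestamps, the `earliest` plausible time for the volume and the user `active_windows` are constructed assumptions that an analyst would replace with values from the case.

```python
import os
import time
from typing import Dict, List, Sequence, Tuple

MacTimes = Dict[str, float]   # timestamp name -> epoch seconds


def read_mac_times(path: str) -> MacTimes:
    """Collect M/A/C times (and birth time where the platform exposes it) with os.stat."""
    st = os.stat(path)
    # On Windows st_ctime has historically been the creation time, not the change time.
    times = {"modified": st.st_mtime, "accessed": st.st_atime, "changed": st.st_ctime}
    birth = getattr(st, "st_birthtime", None)   # present on macOS/BSD and newer Windows builds
    if birth is not None:
        times["created"] = birth
    return times


def timestomp_indicators(times: MacTimes, now: float, earliest: float,
                         active_windows: Sequence[Tuple[float, float]] = ()) -> List[str]:
    """Name the chapter's timestomping signs that apply to one file's timestamps.
    earliest: oldest plausible time on this volume (e.g. OS install);
    active_windows: optional (start, end) intervals when the user was active."""
    found: List[str] = []
    if len(set(times.values())) == 1:
        found.append("all_timestamps_identical")
    created = times.get("created")
    if created is not None:
        if times["modified"] < created:      # content changed before the file existed
            found.append("modified_before_created")
        if times["changed"] < created:       # metadata changed before the file existed
            found.append("metadata_change_before_created")
    for name, t in times.items():
        if t < earliest or t > now:          # before the volume existed, or in the future
            found.append(f"{name}_outside_realistic_range")
    if active_windows and not any(s <= times["modified"] <= e for s, e in active_windows):
        found.append("modified_while_user_inactive")
    return found


# Constructed sample (not a real case): content time pushed back before the birth time.
SAMPLE_NOW = 1_700_000_000.0
SAMPLE_EARLIEST = 1_500_000_000.0
SAMPLE = {"created": 1_690_000_000.0, "modified": 1_600_000_000.0,
          "accessed": 1_695_000_000.0, "changed": 1_690_000_500.0}

if __name__ == "__main__":
    print("sample file:", timestomp_indicators(SAMPLE, SAMPLE_NOW, SAMPLE_EARLIEST))
    print("this script:", timestomp_indicators(read_mac_times(__file__), time.time(), SAMPLE_EARLIEST))
```

On Linux, os.stat usually does not expose a birth time, so the creation-based checks only run where the platform provides it; a dedicated parser of $STANDARD_INFORMATION or the ext4 inode is needed for a full picture.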
Summary
Metadata and timestamps are core elements of digital forensic investigations. MAC times—Modified, Accessed, and Created—help analysts reconstruct events, detect tampering, identify user actions, and correlate logs. Different file systems store timestamps differently, but all provide crucial information that supports accurate and defensible forensic conclusions.